Taking the Share out of SharePoint: SharePoint Application Security

Why Your SharePoint Applications are a Hacker's Best Friend

Upload: aspenware

Post on 29-Nov-2014


DESCRIPTION

The beauty of SharePoint is that you can quickly enable the business to do anything, anywhere. That freedom and flexibility can also create a serious security risk for your organization: with every service and application you roll out, you also roll out new ways for hackers to get at your data. NetSource Secure, HOSTING, and Aspenware are pleased to bring you this critical SharePoint security presentation. In it, Senior SharePoint Architect Waughn Hughes and Senior Security Consultant Justin Tibbs give you the information you need to assess your SharePoint security risks and develop a plan for mitigating them.

TRANSCRIPT

Page 1: Taking the Share out of Sharepoint: SharePoint Application Security

Why Your SharePoint Applications are a Hacker's Best Friend

Page 2: Waughn Hughes

Solutions Architect | about.me/waughn

Waughn has over 14 years of consulting experience and has worked extensively with SharePoint for the past seven years as a developer and solutions architect.

Page 3: Justin Tibbs

NET Source Security Director | about.me/justintibbs

Justin Tibbs developed and heads up the security solutions practice at NET Source, Inc., in Littleton, Colorado. Prior to NET Source, Justin held positions at Cisco Systems, Lockheed Martin, and others, specializing in Vulnerability & Threat Research, Exploitation Development, and Secure Architecture Design.

Page 4: Agenda

• Introduction

• SharePoint Tips and Tools

Page 5: Definitions

Security Breach

An act from outside an organization that bypasses or contravenes security policies, practices, or procedures.

Security Violation

An act from inside an organization that bypasses or contravenes security policies, practices, or procedures.

Page 6: National Security Agency

"This leaker was a sysadmin who was trusted with moving the information to actually make sure that the right information was on the SharePoint servers that NSA Hawaii needed."

- General Keith Alexander, Director of the National Security Agency and Commander of U.S. Cyber Command

Source: "NSA chief leaks info on data sharing tech: It's SharePoint", by Jack Clark

Clear and Present Danger: Cyber-Crime; Cyber-Espionage; Cyber-Terror; and Cyber-War

Page 7: Why SharePoint?

Started as a way to simplify document sharing…

12 years and numerous releases later…

Evolved into a platform for collaboration, document and file management, intranets, extranets, websites, enterprise search, business intelligence, business process automation, social networks, etc.

Used by 78% of the Fortune 500 companies*

* SharePoint 2010: The First 10 Years [http://technet.microsoft.com/en-us/magazine/gg981684.aspx]

Page 8: SharePoint Security Policy

A recent study by Emedia, covered in full by InfoSecurity magazine in February 2013, found that only about one-third of organizations with 25 to 5,000 users employing SharePoint have security policies covering the platform.

Page 9: Installation & Configuration

• Windows, SQL Server and .NET stack

• Security patching

• Service accounts

• Service applications

• Authentication

• Web applications, site collections and sites

Page 10: Installation & Configuration: Tips

• Review and install the applicable service packs and cumulative updates

• Plan for least-privilege administration and do not use a single account to run the SharePoint farm(s)

• Understand the features and configuration options of each service application before deploying it

• Define the authentication methods for each web application and extended web application

• Develop and use an information architecture to define web applications, site collections and sites

• Use metadata to identify data sensitivity
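The least-privilege tip is easiest to verify by listing which identity runs which role. The script below is an added example written for this page, not code from the deck or its authors: it runs in the SharePoint Management Shell on an on-premises SharePoint 2010/2013 farm, uses only the standard Microsoft.SharePoint.PowerShell cmdlets and object model, and reports any account that carries more than one role, plus any service account that also sits in Farm Administrators. The role labels, the one-role threshold and the assumption that account names compare as classic DOMAIN\user strings are ours.

```powershell
# Added example (not from the original deck): map farm roles to the accounts
# that run them, so one account doing every job, or a service account that is
# also a farm administrator, stands out. Run in the SharePoint Management
# Shell on a farm server as a farm administrator (Windows PowerShell 2.0+).
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-SPRoleAccountMap {
    # One row per (role, account): the farm/timer identity, every web
    # application pool (Central Administration included) and every service
    # application pool.
    $farm = Get-SPFarm
    New-Object PSObject -Property @{ Role = 'Farm account (timer/config)'; Account = $farm.DefaultServiceAccount.Name }

    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        New-Object PSObject -Property @{ Role = "Web app pool: $($wa.DisplayName)"; Account = $wa.ApplicationPool.Username }
    }
    foreach ($pool in Get-SPServiceApplicationPool) {
        New-Object PSObject -Property @{ Role = "Service app pool: $($pool.Name)"; Account = $pool.ProcessAccountName }
    }
}

function Get-SPFarmAdministrators {
    # "Farm Administrators" is a SharePoint group on the Central Administration
    # root web. Central Administration uses classic Windows authentication, so
    # LoginName comes back as DOMAIN\user, the same form the pools report.
    $ca = Get-SPWebApplication -IncludeCentralAdministration | Where-Object { $_.IsAdministrationWebApplication }
    $caWeb = $ca.Sites[0].RootWeb
    $caWeb.SiteGroups['Farm Administrators'].Users | ForEach-Object { $_.LoginName }
}

function Find-SPAccountHygieneIssues {
    # Flags (1) accounts used for more than $MaxRolesPerAccount roles and
    # (2) service accounts that are also farm administrators.
    # Group-Object and -contains compare names case-insensitively.
    param([int]$MaxRolesPerAccount = 1)
    $map    = @(Get-SPRoleAccountMap)
    $admins = @(Get-SPFarmAdministrators)

    $map | Group-Object -Property Account | Where-Object { $_.Count -gt $MaxRolesPerAccount } | ForEach-Object {
        New-Object PSObject -Property @{
            Finding = 'Account runs multiple roles'
            Account = $_.Name
            Detail  = (($_.Group | ForEach-Object { $_.Role }) -join '; ')
        }
    }
    foreach ($row in $map) {
        if ($admins -contains $row.Account) {
            New-Object PSObject -Property @{
                Finding = 'Service account is a farm administrator'
                Account = $row.Account
                Detail  = $row.Role
            }
        }
    }
}

# Usage:
#   Find-SPAccountHygieneIssues | Format-Table Finding, Account, Detail -AutoSize
```

A clean farm shows an empty result: the farm account, each content web application pool, the service application pool(s) and the search/profile service accounts are all distinct, and none of them appears in Farm Administrators. Local Administrators membership on each server is a separate check that this script does not make.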

Page 11: Access Control

• User permissions

• Excessive access

• Administrative access

Page 12: Access Control: Tips

• Train end users on the key permission features within SharePoint (e.g. security groups, permission levels, and permission inheritance)

• Automate the review process to keep rights aligned with business needs

• Enable auditing for sites that contain sensitive information

• Assess the need to use database encryption to protect content
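One way to automate the review and to switch on auditing where it matters, as an added example that is not part of the deck: a PowerShell script for the SharePoint Management Shell that walks every web in a web application that has broken permission inheritance, reports grants to "everybody" principals or of Full Control, and enables auditing on site collections tagged as confidential. It assumes an on-premises farm with the Microsoft.SharePoint.PowerShell snap-in; the DataSensitivity property-bag key is our own convention for the metadata tip on the previous slide, and the list of broad principals and the English role name "Full Control" are assumptions to adjust per environment.

```powershell
# Added example (not from the original deck): review risky grants across a web
# application and enable auditing on site collections tagged sensitive.
# Run in the SharePoint Management Shell (Windows PowerShell 2.0+).
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Principals that mean "everybody", in claims-encoded and classic spellings.
# Assumed list: extend for your environment. SharePoint groups are not
# expanded here, so a broad principal nested inside a group is not caught.
$BroadPrincipals = @(
    'c:0(.s|true',                        # Everyone (claims)
    'c:0!.s|windows',                     # All Authenticated Users (claims)
    'NT AUTHORITY\authenticated users',   # All Authenticated Users (classic)
    'Everyone'
)

function Get-SPRiskyGrants {
    # Only webs that broke inheritance can hold grants their parent lacks, so
    # those are the ones worth reading line by line.
    param([Parameter(Mandatory=$true)][string]$WebApplicationUrl)
    $wa = Get-SPWebApplication $WebApplicationUrl
    foreach ($site in $wa.Sites) {
        try {
            foreach ($web in $site.AllWebs) {
                try {
                    if (-not $web.HasUniqueRoleAssignments) { continue }
                    foreach ($ra in $web.RoleAssignments) {
                        $login = $ra.Member.LoginName
                        $roles = @($ra.RoleDefinitionBindings | ForEach-Object { $_.Name })
                        $finding = $null
                        if ($BroadPrincipals -contains $login)   { $finding = 'Broad principal' }
                        elseif ($roles -contains 'Full Control') { $finding = 'Full Control grant' }
                        if ($finding) {
                            New-Object PSObject -Property @{
                                Web = $web.Url; Principal = $login
                                Roles = ($roles -join ','); Finding = $finding
                            }
                        }
                    }
                } finally { $web.Dispose() }
            }
        } finally { $site.Dispose() }
    }
}

function Enable-SPSensitiveSiteAuditing {
    # Turns on auditing for site collections whose root web carries
    # DataSensitivity=Confidential in its property bag (our own marker) and
    # returns the URLs that were changed. SPAuditMaskType is a [Flags] enum,
    # so the comma-separated cast below combines the events to record.
    param([Parameter(Mandatory=$true)][string]$WebApplicationUrl)
    $wa = Get-SPWebApplication $WebApplicationUrl
    foreach ($site in $wa.Sites) {
        try {
            if ($site.RootWeb.AllProperties['DataSensitivity'] -eq 'Confidential') {
                $site.Audit.AuditFlags = [Microsoft.SharePoint.SPAuditMaskType]'View, Update, Delete, SecurityChange, Copy, Move'
                $site.Audit.Update()
                $site.Url
            }
        } finally { $site.Dispose() }
    }
}

# Usage:
#   Get-SPRiskyGrants -WebApplicationUrl 'https://portal.contoso.local' | Format-Table Web, Principal, Roles, Finding -AutoSize
#   Enable-SPSensitiveSiteAuditing -WebApplicationUrl 'https://portal.contoso.local'
```

Scheduling Get-SPRiskyGrants and diffing its output against the previous run is the "automate the review" tip in practice: new rows are the grants that need a business owner to confirm them. Note that View auditing on a busy site generates a large audit log, so pair it with audit-log trimming.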

Page 13: External Exposure: Demo

Page 14: External Exposure: Tips

• Use Google or Bing to check for externally exposed information

• Google samples:

  • inurl:"/_layouts/viewlsts.aspx"

  • "all site content" filetype:aspx

• Use a port scanner like Nmap to look for open listeners:

  • Management applications

  • Misconfigured web services

  • Database listeners (SQL)

• Pretend to be a hacker… Try Shodan, a search engine that lets you find specific types of computers using a variety of filters
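The search-engine checks above only show what has already been indexed. As an added example (not part of the original deck), the PowerShell probe below asks the question directly: it requests a handful of well-known SharePoint paths without credentials and reports the status, where any redirect ended up, SharePoint's MicrosoftSharePointTeamServices version banner and whether the Content-Type header carries a charset. The path list, the host name and the Nmap port list are our own choices; Windows PowerShell 3.0 to 5.1 is assumed (the BaseResponse object has a different shape in PowerShell 7). Run it only against hosts you are authorised to test.

```powershell
# Added example (not from the original deck): what an anonymous outsider gets
# back from well-known SharePoint paths. Windows PowerShell 3.0-5.1.
# Assumed list of common SharePoint 2010/2013 endpoints; extend as needed.
$Paths = @(
    '/_layouts/viewlsts.aspx',                 # 2010 "All Site Content" (the dork on the slide)
    '/_layouts/15/viewlsts.aspx',              # 2013 equivalent
    '/_layouts/15/settings.aspx',              # site settings
    '/_vti_bin/lists.asmx',                    # legacy SOAP web service
    '/_api/web',                               # 2013 REST endpoint
    '/_catalogs/masterpage/Forms/AllItems.aspx'
)

function Test-SPExposure {
    # Sends unauthenticated GETs and records status, final URL (forms-auth
    # login redirects show up here), version banner and charset presence.
    param([Parameter(Mandatory=$true)][string]$BaseUrl)
    foreach ($p in $Paths) {
        $url = $BaseUrl.TrimEnd('/') + $p
        $status = $null; $final = $url; $banner = $null; $ctype = $null
        try {
            # No -Credential on purpose: we want the anonymous view.
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
            $status = [int]$r.StatusCode
            $final  = $r.BaseResponse.ResponseUri.AbsoluteUri
            $banner = $r.Headers['MicrosoftSharePointTeamServices']
            $ctype  = $r.Headers['Content-Type']
        } catch {
            # HttpWebResponse for 401/403/404, $null when nothing answered.
            $resp = $_.Exception.Response
            if ($resp) {
                $status = [int]$resp.StatusCode
                $banner = $resp.Headers['MicrosoftSharePointTeamServices']
                $ctype  = $resp.Headers['Content-Type']
            } else { $status = 'no response' }
        }
        if ($ctype -and $ctype -match 'charset=') { $charset = 'yes' } else { $charset = 'missing' }
        # A 200 that did not end on a login page means the content is readable anonymously.
        $exposed = ($status -eq 200 -and $final -notmatch '_login|_forms/default\.aspx|login\.aspx')
        New-Object PSObject -Property @{
            Path = $p; Status = $status; FinalUrl = $final
            Version = $banner; Charset = $charset; Exposed = $exposed
        }
    }
}

# Listener check to pair with this, run from outside the perimeter with Nmap.
# SQL (1433/1434) should never answer from the internet; 32843/32844 are the
# SharePoint service-application WCF ports and belong inside the farm only.
#   nmap -Pn -sV -p 80,443,1433,1434,32843,32844 portal.example.com
# Usage:
#   Test-SPExposure -BaseUrl 'https://portal.example.com' | Format-Table Path, Status, Exposed, Version, Charset -AutoSize
```

Any row with Exposed = True on an extranet that is supposed to require login is a finding in itself; the Version column tells you what an attacker learns from the banner even on a 401, and Charset = missing on an HTML response is the condition the "specify a charset" development tip later in the deck addresses.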

Page 15: Development

• Cross-Site Scripting

• Cross-Site Request Forgery

• Elevation of Privilege

• Information Disclosure

Page 16: Development: Tips

• Understand Code Access Security

• Encode output properly using SPHttpUtility methods

• Do not allow contributor users to add script to the site

• Specify a charset in the Content-Type HTTP response header

• Avoid using AllowUnsafeUpdates where possible

• Check user permissions appropriately
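The encoding, AllowUnsafeUpdates and permission-check tips are code-review items for the custom web part itself; the XSS and "no contributor script" tips are about what ends up stored in pages. As an added example that is not from the deck, the PowerShell script below hunts a site collection for script that users have already stored: it walks every wiki and publishing page library, inspects wiki page bodies and Content Editor / Script Editor web parts, and reports the page, its last editor and where the script sits. It assumes an on-premises SharePoint 2010/2013 farm via the Microsoft.SharePoint.PowerShell snap-in; the regular expression is a deliberately simple first-pass filter (review the hits by hand), not an HTML parser.

```powershell
# Added example (not from the original deck): find script stored in pages by
# end users, the stored-XSS case behind "do not allow contributors to add
# script". Run in the SharePoint Management Shell (Windows PowerShell 2.0+).
if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# <script ...>, javascript: URLs and inline handlers such as onload="...".
# Assumed first-pass pattern; expect some false positives.
$ScriptPattern = '(?is)<script\b|javascript:|\bon\w+\s*=\s*["'']'

function Test-SPStoredScript {
    param([string]$Html)
    if ([string]::IsNullOrEmpty($Html)) { return $false }
    return [regex]::IsMatch($Html, $ScriptPattern)
}

function Find-SPStoredScript {
    param([Parameter(Mandatory=$true)][string]$SiteUrl)
    $shared = [System.Web.UI.WebControls.WebParts.PersonalizationScope]::Shared
    $site = Get-SPSite $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Wiki Page Libraries (template 119) and Publishing Pages (template 850).
                $pageLists = $web.Lists | Where-Object { [int]$_.BaseTemplate -eq 119 -or [int]$_.BaseTemplate -eq 850 }
                foreach ($list in $pageLists) {
                    foreach ($item in $list.Items) {
                        if (-not $item.File) { continue }
                        $hits = @()
                        # Wiki page bodies live in WikiField. Publishing pages keep
                        # rich content in page-layout fields, which this check skips.
                        if (Test-SPStoredScript $item['WikiField']) { $hits += 'WikiField' }

                        # Web parts on the page: the manager opens its own SPWeb,
                        # which must be disposed via $mgr.Web.
                        $mgr = $web.GetLimitedWebPartManager($item.File.ServerRelativeUrl, $shared)
                        try {
                            foreach ($wp in $mgr.WebParts) {
                                $body = $null
                                $kind = $wp.GetType().Name
                                if ($wp -is [Microsoft.SharePoint.WebPartPages.ContentEditorWebPart]) {
                                    if ($wp.Content)     { $body = $wp.Content.InnerText }   # HTML lives in an XmlElement
                                    if ($wp.ContentLink) { $hits += "$kind ContentLink=$($wp.ContentLink)" }
                                } elseif ($kind -eq 'ScriptEditorWebPart') {               # SharePoint 2013 only
                                    $body = $wp.Content
                                }
                                if (Test-SPStoredScript $body) { $hits += "${kind}:$($wp.Title)" }
                            }
                        } finally { $mgr.Web.Dispose() }

                        if ($hits.Count -gt 0) {
                            New-Object PSObject -Property @{
                                Page       = $item.File.ServerRelativeUrl
                                LastEditor = [string]$item['Editor']   # "id;#Display Name"
                                Where      = ($hits -join '; ')
                            }
                        }
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Usage:
#   Find-SPStoredScript -SiteUrl 'https://portal.contoso.local/sites/teams' | Format-Table Page, LastEditor, Where -AutoSize
```

A Content Editor Web Part whose ContentLink points at a file in a document library is reported even when no inline script is found, because whatever script that file contains runs in the page context of every visitor, which is exactly the contributor-added script the tip warns about.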

Page 17: Questions?

Page 18: Aspenware

6000 Greenwood Plaza Blvd, Suite 110, Greenwood Village, CO 80111 | 303.798.5458

www.aspenware.com